President Signs Executive Order Supporting Migration to EMV

President Obama launched a government initiative today to support the US migration to EMV and improve information sharing on cyberfraud threats.

During an event at the Consumer Financial Protection Bureau, President Obama signed an executive order today aimed at reducing cyberfraud and identity theft. The US government will launch the BuySecure initiative to improve payment security by encouraging the adoption of EMV chip-and-PIN systems at merchant terminals and by enhancing information sharing among consumers and stakeholders in cases of cyberfraud and identity theft.

More than 100 million Americans have lost personal information in a data breach over the last year, and identity theft is the fastest growing crime in the US, the president said.

"The idea that someone halfway around the world could run up thousands of dollars of charges in your name just because they stole your number, or you swiped your card at the wrong place, at the wrong time, that's infuriating," he said.

The president endorsed the US move to EMV chip-and-PIN card technology, citing the drop in fraud in card-present transactions that other countries have seen after adopting the technology. "We know this technology works -- when the UK switched to a chip-and-PIN system, they cut fraud in stores by 70%."

As part of the BuySecure intiative that the president signed into action, the federal government will begin installing chip-and-PIN compatible payments terminals at government locations that accept consumer payments, such as passport offices and national parks. The government will also start issuing chip-and-PIN cards next year for programs like SmartPay and Direct Express.

The president also urged retailers and issuers to adopt EMV chip-and-PIN technology. He commended several private companies for their efforts to adopt the technology and educate consumers about its use and benefits. A group of US retailers, including Home Depot, Target, Walmart, and Walgreens, have pledged to adopt the technology at more than 15,000 store locations by the beginning of next year, the president said. American Express has promised to launch a $10 million program in January to help small businesses adopt chip-and-PIN terminals. And Visa is launching a $20 million campaign to educate consumers about chip-and-PIN technology after conducting a survey that found that 48% of consumers are not aware of it.

One of the fastest ways for consumers to find out if their identity has been stolen is by monitoring their credit reports, the president said. The executive order stated that the Federal Trade Commission will streamline resources and information to help consumers resolve cases of identity theft at a new website, identitytheft.gov. Federal agencies will work to improve information sharing on fraud cases with the goal of halving the average amount of time it takes to remediate an identity theft case in the next two years.

Private companies also pledged to help consumers monitor their credit scores to detect fraud and identity theft cases. Citigroup said that it will partner with FICO to deliver free credit score reports to its credit card customers beginning in January. And MasterCard said it will provide free 24/7 identity theft monitoring and resolution services for all its cardholders.

The president also announced that the White House would host a cyber security summit this year that will bring together industry players to discuss best practices and next-generation technologies like mobile payments.

Payment players and industry groups seemed to welcome the government's support for the migration to EMV technology. "Today's announcement should serve as a catalyst for widespread adoption of chip and PIN card security," Sandy Kennedy, president of the Retail Industry Leaders Association, said in a press release. "Every American cardholder deserves the highest level of security available today. The antiquated card security system in place today in the US makes it far too easy for criminals to commit card fraud."

Others said that, even though EMV adoption would be a positive step forward, other measures need to be taken to protect consumers against today's sophisticated cybercriminals.

"While chip-based technology is important, it's not a total solution to the issue of data security," Richard Hunt, president and CEO of the Consumer Bankers Association, said in a press release. "Many financial institutions and retailers already have a plan in place to adopt its use -- in addition to our own industry's stringent federal data security requirements. Other technologies are emerging to address online and mobile payments fraud, such as tokenization, which is being spearheaded by financial institutions and card networks in their effort to protect consumers."

Jonathan Camhi has been an associate editor with Bank Systems & Technology since 2012. He previously worked as a freelance journalist in New York City covering politics, health and immigration, and has a master's degree from the City University of New York's Graduate School ... View Full Bio

Thank you for your comment. Just to be clear, the order doesn't demand that businesses implement EMV. It means that federal agencies that issue payments cards (for instance, prepaid cards for federal benefits) will start replacing their cards with EMV ones. Also, federal agencies that take payments from consumers (like when you pay to get into a national park) are going to replace their card terminals with ones that are EMV compatible. And it also means that the government will also lend support to the players (like the card networks) that are pushing EMV, maybe through helping to coordinate efforts across industries, for example. But the executive order doesn't mean that EMV has to be implemented at every poitn of sale.

NFC/EMV rules are going to have to be updated, as you say. Your points on tokenizationa and encryption at the point of sale are very good. Encryption at the point of sale would be a big help, but merchants just haven't implemented it. EMV by itself though won't solve every problem. These other measures need to be explored as well. The final answer is almost definitely a combination of different solutions, like you say.

After attending a conference where Visa discussed EMV certification for merchants, I can understand why it's called "chip and pain" in Europe. However, there was mention of possibly streamlining the merchant EMV certification and activation process.

What I found interesting was that the President's order mentioned buying EMV-capable equipment, but I don't recall where it said EMV had to be implemented. "Enhanced security" could be encryption-at swipe (which is easier to implement) or tokens. I think a combination of features (P2PE with EMV; Tokens with EMV; etc.), will be the best way to reduce fraud and minimize impact from breaches.

I'm still not sure about NFC with EMV. I suspect EMVCO will modify NFC/EMV rules in the next 6 months, particularly with Apple Pay pushing NFC. Most NFC transactions today are in magstripe format.

I think EMV is going to have to be a stopgap though until mobile payments become popular, which I don't think will happen for years still. I see biometrics and geo-location being used for security once mobile payments take off. But in the mean time the industry needs to better secure card trasnactions until mobile payments adoption becomes much higher. EMV won't do that all by itself. But it is way better than mag stripe.

Well put. It's one thing to be a fast follower (first, wait and see if the technology works and if it does, implement it quickly). But EMV was proven years ago, so this doesn't fall into the fast follower category. This falls into the, "umm, what do we do now? Yeh, EMV, sounds good. Let's do it!" category.

With this move it seems like the US is just playing catch up to the rest of the world. But, chip and pin is not the answer to help protect against breaches. In fact, as others have pointed out, biometric security is already a step ahead of chip and pin. By the time this gets implemented, it will be 3-4 generations behind the technology curve.

Thank you for your comment. You are definitely right that EMV wouldn't put an end to the data breaches we're seeing. My understanding though is that it would make the card data useless if it were stolen because EMV cards use a dynamic CVC. In the end this is only one part of a more secure ecosystem for payments. That can't be emphasized enough. Things like new authentication factors and encryption at the point of the sale also need to be implemented. And many smaller-sized players in the ecosystem, like community banks, or small merchants, are going to struglle with the costs of all of this. The whole question of who will pay for all of this is still very much in the air, even with the government putting its support behind EMV.

The President mentioned mobile specifically when he talked about the cyber security summit that the White House will be hosting. Between mobile payments and mobile POS systems, mobile devices are reshaping the payments at a fast pace. The summit seems to be aimed at trying to get ahead of the criminals in terms of leveraging new technology trends like mobile.

I'm not sure how I feel about this. Yes, chip and PIN is a better solution than what we have, but is it the right, long-term strategy? I say no. Community banks are already struggling to find revenue sources and this will be, yet another huge expense that we will likley see little to no benefits from. Besides that, do most people even realize that EMV wouldn't have done a thing for breaches such as JPM? hmm..